All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man.

This is one of the talks I gave at our weekly Thursday seminar – register here for the Webinar

The talk discusses how data security metrics can be used in a value-based approach to security, providing examples of security metrics and a number of practical measurement techniques.  The talk also shows how security metrics are used in quantitative risk modeling in order to calculate Value at Risk of information assets and justify security investments by reducing risk at lower costs.

I’ve been thinking recently about how most of our clients don’t collect security metrics. Then I got thinking about how there are anti-design patterns that typify firms with a higher level of vulnerability to a major data loss event.

Running security is not different from running a business – you have assets and threats, vulnerabilities and resources to protect the assets. There are widely accepted and practiced revenue models, costing models and performance metrics for businesses of all shapes and sizes, yet information security has not reached this stage of maturity. Taking two security standards as an example (ISO27001/27002 and PCI DSS 1.2) – it is clear that a well-structured list of security controls is not a substitute for measuring security control effectiveness.

So – how can we use anti-design patterns for diagnosing a firm with potential security issues?

Let’s start by looking how a typical business uses metrics.

To cost a product or service, a distribution business uses mark up margins, a manufacturing unit uses bill of material costing and a professional services firm uses standard and activity costing. In order to evaluate cash flow, we measure cash flow from operations, or free cash flow (FCF) – which is cash produced rom operations, less capital expenditures. FCF omits the cost of debt but provides an objective indicator that can be measured every week, every quarter, every month of the year.  We know a major supermarket chain that lost $5M in business to competitors in the holiday season after their purchase prices of fresh produce were leaked to a competitor by an employee. The firm reacted with locked doors and cameras, but locked doors and cameras cannot mitigate the threat of employees with wireless access to Webmail.

Here are 6  anti-design patterns that I would propose:

• Data security spending is driven by privacy regulation
• Gartner Group/IDC/Forrester white papers are a key input for information security purchasing
• The CSO meets at least 5 new product vendors a month
• The purchasing cycle of  new security technology takes 9-15 months (3x slower than the introduction of new security threats)
• Cutting back on security head count during restructuring
• The CTO never personally sold or installed one of the company’s products

If you answered YES to 4 out of the above 6 anti-design patterns, I would recommend the following:

1. Setup indicators and publish them once a week on the company Intranet for everyone to see. Start with 3 indicators: the number of network anomalies your IDS found that week, your current patch cycle time and how much overtime your security staff worked that week.
2. Do continuous security audits. Purchase a tool for network audit and run it once a week on a different part of the network. The guys over in the warehouse stopped doing full physical counts once a year 15 years ago, they count a little bit of inventory every day with hand-held barcode terminals. Get a consultant to help you set it up and run it yourself.
3. Run security awareness programs. Make the number of training hours one of your indicators
4. Build a threat model and maintain database of your key assets, threats and vulnerabilities and start building a threat model today.
5. Define your competitive strategy for infosec operations. Is it low cost? Is it single vendor? Is it Linux desktops? Is it end-point security focus?
6. Think how activities can reinforce each other – for example by installing personal firewall software that reports on intrusion attempts to a central server so that you can plan your response to future attacks.
7. Identify sets of activites that optimize your efforts. Perhaps you have a totally flat network with a spagetthi plate of servers and workstations today. Segment the network into VLAN’s, put the application servers on one segment, the data servers on another and client workstations on departmental segments and so forth. Performance and security will improve and you’ll be able to monitor content effectively. You’ll spend less time firefighting and more time thinking.
8. Install your company’s products yourself. After you do that, follow a customer home and watch how they do the install, time it and take notes. Update the threat model with your findings.